Set up pfSense 2.3.2 with VMware ESXi 6 on a rented dedicated server.

This guide assumes some, but limited, knowledge of ESXi and pfSense.

Requirements:

A rented dedicated server with a failover IP and ESXi 6 already included.

Goals:

  1. Install and configure ESXi
  2. Install and configure pfSense

1) Install and Configure ESXi

Create and buy a failover IP from your dedicated server provider. This is done in the IP settings of your provider's control panel. In our example we use OVH. OVH supplies what it calls a virtual MAC address for the failover IP; this is required.

Install ESXi from the dedicated server control panel.

Once installed go to the dedicated server IP address in a web browser and download the vSphere Client.

Connect to your dedicated server IP with the vSphere Client, using the login and password that were supplied by email.

Once logged in to the vSphere Client, click on the Host, then the Configuration tab, then Networking, then Add Networking.


Click next through the wizard with default options, to create a new standard vSwitch.

Download and upload the ISO images that will be required:

PfSense amd64 -> https://www.pfsense.org/download/
Ubuntu -> http://www.ubuntu.com/download/desktop

Download the ISOs to your desktop computer. To upload them for use with ESXi, go to the host's Configuration tab and then Storage. Right click on the datastore and select Browse Datastore, then create a new directory called “ISO” for storing your ISO images. Click on the ISO directory and then click on the Upload icon on the toolbar of the Datastore browser. Upload the ISO files that you downloaded.


2) Install and Configure pfSense

Create a new virtual machine. Select FreeBSD 64-bit from the list of operating systems. We need to add a second network interface during hardware customization. Change the CD-ROM drive to boot from the pfSense ISO that was uploaded earlier and make sure it is connected. Set one network interface to be on the VM Network and the other to be on the network that you created earlier. Increase the RAM to 4 GB or more and set 2 cores for the CPU.

Ignore the second CD-ROM that was added by mistake. The VM Network will be our pfSense WAN adapter.

Important: before you start up the pfSense VM, click on the network adapter that is going to be the WAN (network adapter 1). Set the MAC address to manual and input the virtual MAC address that was assigned to the failover IP.

Now start up pfSense. To make configuring pfSense easier, we can do it from the web interface. To do this we need to run an Ubuntu live CD inside the pfSense LAN vSwitch network.

Create a new virtual machine, picking Ubuntu 64-bit from the list. Add the Ubuntu ISO as the boot option in the CD-ROM hardware configuration. Set the network interface to be in the pfSense LAN vSwitch. Once booted, select the option to try Ubuntu and run from the live CD. Then load up Firefox, go to 192.168.1.1 and log in with admin/pfsense.

Set your pfSense WAN interface to the failover IP and /32. Input the virtual MAC address in to the MAC address field on the interface.


Now we need to add the gateway. In the latest pfSense there is an option to permit the use of gateways outside of the subnet. This new feature removes the need to run shell commands to set up the route.

Click on System, Routing, Add gateway.


Use the gateway of your main IP, not your failover IP: take the IP that you connect to the vSphere Client on and set .254 as the last octet. For example, if the IP address is 99.23.23.54, the gateway would be 99.23.23.254.

Select the option to make it the default gateway.

Important: then click the Advanced button and enable the option right at the bottom, “Use non-local gateway through interface specific route.” Click Save.

Now go back to the WAN interface and make sure the Gateway is assigned to the WAN interface.

You should now have internet access working on pfSense and on the Ubuntu live CD. Test to confirm.

Any virtual machines that require internet access should be put in the pfSense LAN vSwitch, and DHCP will configure them automatically.

Upgrade FreeBSD 10.2 to 10.3

Stop any services that you have running, and disable them from startup in rc.conf by setting them to NO. This is often not strictly necessary, but it is a good idea to stop them.

Run the following as root:

freebsd-update fetch
freebsd-update install
freebsd-update upgrade -r 10.3-RELEASE
freebsd-update install
shutdown -r now
freebsd-update install
shutdown -r now
uname -a

Updating FreeBSD ports with portmaster without prompts

Update the port collection:

portsnap fetch update

Using Portmaster check for updated ports:

portmaster -L | more

Update all the main applications first or top level ports.

Update one port:

portmaster -yd --no-confirm wget

-y  answer yes to all user prompts for the features below
-d  always clean distfiles
--no-confirm  do not ask the user to confirm the list of ports to be installed and/or updated before proceeding

Check for any ports that still require updates:

portmaster -L | more

Update all remaining ports without prompts:

portmaster -dya --no-confirm

-a     check all ports, update as necessary


Set up DD and DTS bitstreaming with MPC-BE and LAV Filters

Goals:

1) Install MPC-BE and LAV Filters and enable bitstreaming of multi-channel audio to an AV receiver.

Requirements:

1) An S/PDIF (optical) or HDMI cable to an AV receiver.

Steps:

1) Install MPC-BE and LAV Filters (64-bit)
2) Configure MPC-BE
3) Configure LAV Filters

Step 1) Install MPC-BE and LAV Filters

Download the 64-bit MPC-BE and LAV Filters. It is OK to install the 32-bit versions as well with the joint installers. Default install options can be used for this guide.

Step 2) Configure MPC-BE

Open MPC-BE and open its Options. Select External Filters within the options and click Add Filter. Add the LAV Filters: LAV Audio Decoder, LAV Splitter, LAV Splitter Source and LAV Video Decoder. Set each LAV filter to “Prefer” where it says “Set merit”. OK the options.


Re-open MPC-BE and play a video to confirm that LAV Filters are being used. Right click on the video while it is playing and go to Filters on the context menu. It should look like the screenshot below if LAV Filters are being used.


Step 3) Configure LAV Filters

From the right click context menu that was opened earlier, click on LAV Audio Decoder to enter its properties. Enable bitstreaming by selecting the Dolby Digital and DTS codecs, then OK the properties. Reopen MPC-BE to apply the changes.

pfSense 2.2: Set up Wireless N using a PCI-E WiFi card

Goals

1) Turn pfSense into a Wireless N access point using an internal PCI-E WiFi card.

Requirements:

1) pfSense 2.2 installed on a physical device, with a compatible internal WiFi card.
2) See the list of compatible cards: https://doc.pfsense.org/index.php/Supported_Wireless_Cards

In this example I will be using a D-Link DWA-556 Xtreme N 300M PCI-Express (AR5418).

Steps

1) Add the WiFi interface
2) Configure the WiFi interface
3) Set up DHCP for the interface
4) Add the allow-all firewall rule for the interface

Step 1) Add the WiFi interface

Add the interface by going to Interfaces->(assign).
Click the + to add a new interface.
On the drop down, select your wireless adapter. It should be ath0 or similar.


Step 2) Configure the WiFi interface

Click on the new interface title, usually “OPT1”, so that we can edit the interface. (Alternatively, go to Interfaces and click on the new interface from there.)
Tick the box to enable the new interface.
Name the interface “WIFI”.
Set the IPv4 address to 5.5.5.1 with a CIDR of /24.
A gateway does not need to be set.


Set the standard to 802.11ng.
Set the channel to one that is least used around your area.
Set the region information under regulatory settings.


Set the mode to Access Point.
Set the SSID as desired.
Set the minimum wireless standard to 802.11n.
Tick the Enable WME box.
Enable WPA and set a passphrase.
Set WPA mode to WPA2.
Set WPA pairwise to AES.

Save the configuration.

Step 3) Set up DHCP for the interface

Go to Services->DHCP Server.
Select the WIFI interface tab.
Tick the box to enable DHCP on the interface.
Set the range from 5.5.5.100 to 5.5.5.150.


Save the DHCP server configuration.

Step 4) Add the allow-all firewall rule for the interface

Go to Firewall->Rules.
Select the WIFI interface tab.
Click to add a new rule.
Set the TCP/IP version to TCP/UDP.
Set the source to WIFINET (where WIFI is the name of the WiFi interface).
Set the destination to any.

Save the configuration.
The firewall rules should now look like this, allowing all outbound traffic on the interface.


Go to Status->Interfaces to confirm the interface is up.

Additional information:

1) As of pfSense 2.2 some wireless N cards are supported.

2) If changing modes between g and n, pfSense may need a reboot before it goes into n mode.

Set up FreeBSD PF on a single-NIC seedbox

Goals:

1) Set up PF on a seedbox.

Requirements:

1) A dedicated server with root access.

Step 1) Configure pf

As root, make a note of your primary interface, usually em0 or rm1 or similar:

ifconfig

As root, load the PF kernel module:

kldload pf

Create a new pf.conf file if one does not already exist:

ee /etc/pf.conf

Example pf.conf where:
Interface = em0
SSH port number = 1850 (change this to 22 if SSH is on the default port)
Transmission port number = 7140

## pf.conf FreeBSD 10.1

####### Interfaces

ext_if = "em0"

####### Variables

services_in = "{ 1850, 7140 }"

######## Options:
set block-policy drop
set debug urgent
set limit { frags 10000, states 30000 }
set loginterface $ext_if
set optimization normal
set ruleset-optimization none
set skip on lo
set state-policy if-bound

######## Normalization

# Scrub
scrub in all no-df min-ttl 100 max-mss 1440 fragment reassemble

#
# Packet Filtering
#

# Block invalid packets
block in log quick on $ext_if from no-route
block in log quick on $ext_if from urpf-failed

# Incoming traffic on $ext_if
block drop in on $ext_if all

# Pass in
pass in on $ext_if proto tcp from any to $ext_if port $services_in keep state

# Outgoing traffic on $ext_if
pass out on $ext_if keep state

This blocks all incoming traffic and allows all outgoing traffic by default, with exceptions for SSH and Transmission.

To enable PF, flush it and start it with the config from /etc/pf.conf, run the three commands in sequence (note: this will disconnect your SSH session):

pfctl -e; pfctl -F all; pfctl -f /etc/pf.conf

PF is now enabled. Set up Transmission as follows:

Disable random port.
Set incoming port to 7140.
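As an added example (not from the original post), the same ruleset rendered from the interface and port parameters, plus the two checks a practitioner wants before loading a ruleset over the very SSH session it filters: a `pfctl -nf` syntax check, and a background timer that disables pf again if you do not cancel it once you are back in. The function names and the rollback timer are additions here, not part of the guide's procedure.

```shell
#!/bin/sh
# Added example: generate and safely apply the seedbox pf.conf from the guide.
# render_pf_conf is pure text and runs anywhere; only apply_pf_conf calls pfctl.

# render_pf_conf <interface> <ssh_port> <transmission_port>
# Prints the guide's ruleset: drop all inbound except the two TCP ports.
render_pf_conf() {
    ext_if="$1"; ssh_port="$2"; tr_port="$3"
    cat <<EOF
## pf.conf generated for a single-NIC FreeBSD seedbox
ext_if = "$ext_if"
services_in = "{ $ssh_port, $tr_port }"
set block-policy drop
set skip on lo
set state-policy if-bound
scrub in all no-df min-ttl 100 max-mss 1440 fragment reassemble
block in log quick on \$ext_if from no-route
block in log quick on \$ext_if from urpf-failed
block drop in on \$ext_if all
pass in on \$ext_if proto tcp from any to \$ext_if port \$services_in keep state
pass out on \$ext_if keep state
EOF
}

# count_pass_in: reads a pf.conf on stdin and counts rules that let traffic in.
# The guide's design has exactly one; a second one means the exposure grew.
count_pass_in() {
    grep -c '^pass in '
}

# apply_pf_conf <file> [rollback_seconds]
# 1. pfctl -nf parses without loading, so a typo never leaves a half-loaded set.
# 2. A timer disables pf after N seconds (default 120). If the SSH session is
#    lost, wait it out and reconnect; if it survives, kill the timer to keep pf.
apply_pf_conf() {
    conf="$1"; secs="${2:-120}"
    pfctl -nf "$conf" || { echo "syntax error in $conf; not loading" >&2; return 1; }
    ( sleep "$secs" && pfctl -d ) &
    PF_ROLLBACK_PID=$!
    pfctl -e 2>/dev/null              # fails harmlessly if pf is already enabled
    pfctl -F all && pfctl -f "$conf"
    echo "pf loaded; it disables itself in ${secs}s unless you run: kill $PF_ROLLBACK_PID"
}

# Usage: sh thisfile.sh em0 1850 7140 > /etc/pf.conf ; then apply_pf_conf /etc/pf.conf
if [ "$#" -eq 3 ]; then render_pf_conf "$1" "$2" "$3"; fi
```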

How to set up an SSH tunnel using PuTTY and Firefox from Windows

Goals:

1) Set up an SSH tunnel for use as an HTTP proxy.

Requirements:

1) A dedicated server or VPS running FreeBSD/Linux
2) A Windows client with Firefox and PuTTY

Step 1) Configure the SSH tunnel

Load the saved PuTTY session that you want to add the SSH tunnel to.

Go to Tunnels under SSH.
Select the “Dynamic” option and enter your desired port number in the Source port field. The example uses 16666.


Save your session and connect to your server.

Step 2) Configure the Firefox proxy settings: add localhost and the port you specified as the SOCKS v5 proxy and enable remote DNS.


Test that the SSH tunnel is working by going to http://myip.dk in the browser; it should now display your server's IP address rather than your local IP address.